It’s Time for Lawyers to Re-Think the Cloud

shutterstock_146680703
computer-security-guide-cover-2nd-ed

4-Step Computer Security Upgrade

Learn to encrypt your files, secure your computer when using public Wi-Fi, enable two-factor authentication, and use good passwords.

We are living in 1984. The novel, that is, not the year. Big Brother is watching you — and reading your emails, browsing your contact lists, keeping tabs on your call history, and tracking your movements. If you represent non-US clients, Big Brother may even be reading your confidential attorney-client communications, according to the New York Times.

This probably does not raise any serious ethical concerns for most lawyers. That is, I don’t think you will lose your law license because you use email. But it should make you pretty uncomfortable.

And while there is probably no reason to panic, it also means you should probably change the way you use the cloud.

I no longer think it is wise to use the cloud as the default place to store your information. Maybe that was always a bad idea, but it definitely looks like a bad idea now.

A year or so ago, I thought it made sense to use the cloud as a default. I put nearly all my information in the cloud, unless there was a good reason not to. After last June, the documents released by Edward Snowden started hitting the media. We now know that the NSA is not only vacuuming up information from the public Internet, but infiltrating major companies, undermining fundamental security software, and even intercepting computers in the mail to install spyware. It is also unclear which companies are cooperating, although some seem like they might even be on the NSA’s payroll.

Apart from governments — our own and others — the last few years have seen a resurgence in malicious hacking by non-government actors. It seems like every week we get a new warning to change our passwords because a popular cloud service has been compromised.

I no longer think it is wise to use the cloud as the default place to store your information. Maybe that was always a bad idea, but it definitely looks like a bad idea now. I think we have to assume that the government has (or can easily get) access to anything you send through the air or over a wire, especially (but not only) if it is unencrypted. So can many others. So if you weren’t already thinking carefully about what you put in the cloud, you must do so from now on. Put stuff in the cloud only when it needs to be in the cloud.

Be Smart About the Cloud

There is no reason to fear the cloud. Instead, be smart about the cloud. If you choose your services carefully, using the cloud is at least as secure as not using it, and it can be more secure. In fact, for most people the cloud is far more secure than hosting a private server.

“[E]veryone needs to recalibrate their baseline expectation of confidentiality ….”

I reached out to several cloud software vendors to find out what they are doing in the wake of the Snowden revelations. None of them are using RSA, and all of them say they are using best practices when it comes to security. Clio‘s Jack Newton probably described the general feeling best when he quoted Microsoft’s general counsel, Brad Smith, who characterized the NSA as an “advanced persistent threat.” MyCase‘s Matt Spiegel said that “these are concerns we have always known existed,” and that Snowden’s revelations were merely confirming what most security experts already believed. Rocket Matter‘s Larry Port agreed, saying “the NSA revelations were a gift, in that now everyone else is as paranoid as I am.”

Newton admitted, though, that “everyone needs to recalibrate their baseline expectation of confidentiality … every medium is less secure … whether it’s a cell phone, personal computer, private server or a cloud-based application.”

Related“5 Things I Wish You Would Learn About Computers”

On the basic question of whether the cloud is more secure than managing your own IT infrastructure, Spiegel (unsurprisingly) called the cloud “infinitely more secure, for many reasons, than data simply being kept on your local computer or server.” He has a vested interest in saying so, but I tend to agree with him. Few enough lawyers are proficient with Microsoft Word, much less setting up solid automatic backup or a secure file server, and there aren’t many lawyers willing to pay a security professional to keep their network secure at all times.

Still, lawyers have a duty to use appropriate security, and to me, that means using the cloud only when necessary.

Re-Think Your Use of the Cloud

If you only had one computer and no smartphone or tablet, you could probably get by just fine without the cloud. But most of us now have at least two devices, and we really want to be able to sync up our email, calendars, tasks, and access documents wherever we are and whatever we are using.

Related“How to Share Files with Clients”

Currently, the only way to do that is the cloud. (The “personal cloud” concept is just beginning to take shape, but it is not yet a realistic option for most users.)

Email

Email was cloud-based before the cloud was even a thing. And storing your messages in one place just makes sense, whether that is Gmail or your own server. But email, by its nature, is not very secure. Most email is transferred unencrypted and in the clear. Think postcards, not sealed envelopes. It is so easy to intercept email in transit that anyone who wants a copy will probably get one.

Because of the relative insecurity of email, you have two choices: watch what you say over email, or encrypt it.

In general, watch what you put in email and talk to your clients about email security. If you would not want the NSA to read your message, do not put it in an email. In fact, an experienced lawyer once told me not to put anything in a letter that I would not want to see on the front page of the newspaper. That sounds like a good guideline for email, too.

There are two alternatives for securing your digital communications: secure portals and encryption.

A secure portal is a website you can only connect to via HTTPS that holds any messages (and often, files) you want to give someone else access to. For example, you would log in, type a message to your client, and hit send. Your client would get an email letting them know they have a message, which they would have to log in to get. A secure portal is cumbersome, but it is an effective extra layer of security. (It is also a good idea if you are representing employees and worry about them reading emails from you at work.)

Some secure portals include Clio and MyCase, which send notifications by email, but do not include the substance of the message.

Another, higher-security option is encrypting your emails. This works, but it is even more cumbersome than a secure portal, and you will have to train your clients to do it properly. Still, if you want to secure your communications, email encryption works.

Calendars and Tasks

Calendars and tasks are much more useful when stored in the cloud so you can sync them between devices and share calendars with co-workers and family members. But meeting requests generally go out over email, and not all online calendars are secured by HTTPS by default (Google Calendar is a notable exception).

To ensure calendar and task security, look for cloud services that use HTTPS by default, and avoid sending meeting requests if doing so would reveal confidential information.

Documents

Documents are especially handy when kept in the cloud. The ability to pull up your client files from anywhere using your smartphone is pretty great. But you definitely don’t need anytime, anywhere access to all your files. There is probably no reason to store your closed files in the cloud, for example.

Cloud file sync and storage also includes a variety of security levels. Dropbox, probably the most-popular option, transfers your files over a secure connection, but does not encrypt your files until they reach Dropbox’s servers. And Dropbox is able to decrypt your files. Plus, Dropbox may be cooperating with the NSA.

Still, Dropbox is widely supported by mobile apps, making it the best choice for files you really do need to be able to get to anytime, anywhere. Which is why I still use Dropbox for some things, like draft blog posts and eBooks, camera uploads, and board meeting documents for the non-profits I work with. But I don’t put my client files in Dropbox anymore.

You could use something like Boxcryptor or Viivo to add an extra layer of encryption to Dropbox. I found Boxcryptor to be clunky, but Viivo works great and makes it easy to open your files in other mobile apps (although they will not be encrypted in those apps, obviously).

SpiderOak is often touted as a more-secure alternative to Dropbox. It is, as far as I can tell, but the security comes with some downsides. Like Boxcryptor and Viivo, almost no mobile apps support SpiderOak, which limits your options for getting your files onto your phone or tablet.

You can either have security or convenience, in other words. Not both. At least not yet. Recent updates to iOS are making it easier for apps to interact, which makes it less important which cloud file storage service you decide to use.

Another option is to skip the cloud entirely and use BitTorrent Sync. As we have discussed in the Lab, BTSync is relatively new, and has yet to either open-source its code or submit to a security audit. That said, BTSync is file sync without the cloud. It syncs up files between your computers and devices, but they are never stored on anyone else’s servers. Files are transferred (really quickly) over a secure connection, which means it is just as secure as Dropbox file transfers, but you don’t have to entrust your files to a third party. And while app support is weak, there is a nice BTSync app, which lets you view your files and send them to other apps. BitTorrent Sync is also growing really fast, which means third-party support should follow. Plus, it is free.

For backup, I continue to recomment a combination of local backup and CrashPlan, which is about as secure as the cloud gets.

When Not to Use the Cloud

The bottom line is my new philosophy when it comes to the cloud: only use the cloud when you need to. And if you do use the cloud, make sure you choose the right level of security for the data you put there. If you don’t need to use the cloud, keep the information local and encrypted.

That said, I continue to think lawyers should use the cloud. The new comment to Rule 1.1 cuts both ways:

[A] lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology ….

If you don’t use appropriate technology, you are doing your clients and your ethical obligations just as much a disservice as if you use inappropriate technology. Sometimes, the cloud is the right tool for the job, and sometimes it isn’t. You cannot ignore it, but you cannot dismiss it as an option out of hand, either.

Updates

  • 2014-03-10. Originally published.
  • 2014-10-17. Revised and republished.

Featured image: “Businessman hand working with a Cloud Computing diagram” from Shutterstock.

Subscribe

Get Lawyerist in Your Inbox, Daily

Current Articles
Current Lab Discussions
  • Paul Spitz

    Well, thanks a lot for ruining our day! Just kidding, but maybe not so much. I just got comfortable using email and the cloud, in good part due to the confidence people here shared. And now, I’m back to shoving bitcoins into shoeboxes under my bed.

    But let me add this consideration to whether the cloud is really insecure or not. Everyone needs to ask himself, does the NSA really give a rats tuchus what I’m working on? For example, if someone is handling white collar criminal cases or M&A and securities issues for prominent public companies, the cloud and email may not be secure. I can see how maybe the government might be interested in e-mail communication between Steven A. Cohen and his attorney. I can see how the NSA might be snooping in on the cloud storage of lawyers representing prisoners at Gitmo. That makes sense. I can’t see how the government or anyone else would be interested in mundane matters for mundane clients, however. If you are representing the average schmo in a divorce case, I really doubt the other side is hacking into your email or cloud storage. And if opposing divorce counsel is that sophisticated, I daresay you were going to lose anyway.

  • My thoughts are along the same lines as Paul – I think the type of cases and client information you are dealing with really dictates how far you need to go to avoid the NSA-cloud risks. Sam, your points are well taken, and I don’t really disagree with anything you are saying.

    My only concern is that people will not get the nuance of what you are saying and overstate the gravity of the real security or privacy interests at stake. I practice in Canada and we just got past the “Patriot Act” Bogeyman arguments against cloud tech given that much of the data were stored in servers outside of Canada. Now the NSA provides fresh ammunition for the cloud-haters.

  • JRW

    This post is, of course, incredibly alarmist; sounding an Orwellian alarm bell in connection with the case files of lawyers likely to use utilities such as Clio, Dropbox, etc.–mostly solos and smalls–is way over the top. Paul is correct that the sort of practice you have and the sorts of clients you work with are the most important factors in determining whether you should use the cloud and how you should use it. Accordingly, most of the folks who read this blog can all but disregard this “chicken little” argument…the sky is not falling. Although I doubt any of my clients in my plaintiffs’ civil rights practice would appreciate being characterized as “shmoes” or their legal issues labeled as “mundane.”

    • This post is, of course, incredibly alarmist

      Did you even read the post? If you did, please explain how “only use the cloud when you need to” is alarmist rather than sensible.

    • Paul Spitz

      Well, no offense intended! And you know, a civil rights practice is likely to make security concerns very important to you and your clients.

  • Martin

    I see one major challenge: There is no global attorney–client privilege while Internet usage including cloud computing usually happens in a global context. So while American lawyers and their clients are protected if American cloud services are used, lawyers abroad cannot use such services except maybe for e-mail (as explained by Sam).

    As a sidenote: Secure portals are usually not that secure because they do not offer end-to-end-encryption. You still have to trust the provider.

    And as another sidenote: An alternative to Spideroak is Wuala, see http://www.wuala.com/.

  • Craig Hensel

    Look into Egnyte for cloud file storage. It’s similar to Dropbox, but with much better permissions control for when you’re using it as a server for your entire firm. I’ve tried nearly every cloud storage program out there and Egnyte is the best for a multi-employee firm, hands down.

  • Alvin Foreman

    Is there really any reason to be concerned about what the NSA knows about the typical neighborhood consumer law practice? I think that most people (well, at least the 24 tv show fans like me) assume that the NSA sees, hears, and collects all anyway. I am concerned about hackers, but I see no reason at all to worry that the NSA knows I’m meeting with Mrs. McGillicuddy next Tuesday to discuss her will. As long as cloud service providers have strong enough security to keep out the bad guys, I see no problem with using them. It seems to me that the NSA/Snowden story is a non-issue for most solos/small firm practitioners.

  • The bottom line is that as convenient as tech has made comms to accommodate society’s newfound on the go 24x7x365 lifestyle, the fact is, the US govt has ensured warrantless surveillance by default for itself in spite of the Constitution and anyone who has ever worn a uniform/died for this countries’ former freedoms. If that doesn’t disturb you then you have already been lost to Big Brother’s boot stomping on a human face.

  • 100% in agreement with Sam – Further, if one reads the privacy policies (in its entirety) for Google Drive, Dropbox, Microsoft Azure, and any other cloud based service and continues to think that the cloud is the way to go for all your document storage needs, I would say that person is drinking too much Cloud Kool-Aid. There is nothing 100% secure and it will be a while until we get to that point, if ever. – just ask Target.

  • Kyle McDonald

    I don’t like the thought that The Government — any government: yours, mine or someone else’s — might or does look through any of my files, whether they’re personal, work-related or client-related.

    I do what I can to make this information secure. I encrypt my hard drives; I use strong passwords and a password manager; I use two-factor authentication where that’s available. My guess is that in those circumstances, if I were ever questioned or challenged over why my client data was accessed by or accessible to a secretive government organisation embarking on arguably illegal surveillance, I reckon I could confidently say I’d done all that I could.

    But I understand that’s not really your point Sam. You’re suggesting that in the face of technical inability to prevent this from happening, we shouldn’t place the data in the cloud unless absolutely necessary.

    But I wonder if the alternatives are necessarily any better?

    Edward Snowden said in his address to the EU (http://site.d66.nl/intveld/document/testimony_snowden/f=/vjhvekoen1ww.pdf) that not only can the NSA get in to cloud-based stuff, but if it really wants in to our data on a computer, it can get that too. Now, I understand that you’re talking about the broad-based dragnet-type surveillance, not the targetted sort of surveillance that Snowden says can’t be prevented. But surely that comes back to what’s reasonably practicable for a modern lawyer to secure data?

    It seems that the only way to truly prevent this would be to revert to paper-based practice, with all the drawbacks and insecurities that that entails. Whilst I haven’t heard of large-scale illegal interception of postal mail, could it be even easier to do than for electronic communications? I don’t know…

    I don’t like it one little bit that we might be being surveilled, but it seems that unless my client data contains keywords or something else to flag it as of interest to the X-files people, it will never be actually read by human eyes. And of course, I’ve always got the option of encrypting anything sensitive. (Though you noted the problems with that in another post.) I don’t like it one little bit, but at the moment, it seems to me that cloud-based data storage with prudent levels of security is a least-worst solution.

  • Andrew Cabasso

    Thanks for the update to this post.

    When it comes to online privacy and security, I often encounter people who state, “I have nothing to hide.”

    Earlier this week, Edward Snowden gave an interview via Google Hangouts (a bit ironic) for the New Yorker Festival, where he called out the “I have nothing to hide” sentiment. He said:

    When you say, ‘I have nothing to hide,’ you’re saying, ‘I don’t care about this right.’ You’re saying, ‘I don’t have this right, because I’ve got to the point where I have to justify it.’ The way rights work is, the government has to justify its intrusion into your rights.

    I just tried out SpiderOak (2gb free, nowhere near as much as the 16gb I got with Dropbox) and it seems to work fairly similarly to Dropbox. I can probably live without the mobile app…

  • I agree with your reassessment of the risk of using the cloud but I don’t think as drastic a retreat from the cloud is necessary. Many lawyers will be shifting the burden to themselves or their IT staff. For all that Mr. Spiegel is self-interested in the cloud’s security, he’s probably right. My own reaction over the past 12 months was to switch to an offline password manager and resetting all passwords so that they’re long and unique, upgrading to a router that supports open source (and frequently upgraded) DD-WRT firmware to better protect my network’s Internet connection, and trimming back the number of cloud services I used to just those that were key.

    I’m not sure most lawyers are doing what it takes to protect their own systems (for example: http://www.lawsitesblog.com/wp-content/uploads/2014/09/Security-Tools-Used.jpg ). At least in the cloud that’s 100% encryption. There are tools and staff focused on intrusion detection. Passwords seem to be a frequent problem and your thorough article (https://lawyerist.com/73015/passwords-guide-lawyers/) was probably new to some lawyers. Staying off the cloud isn’t going to strengthen those weak links; it may just obscure them.

    The cloud can still be the default for many practice areas and client matters, rather than only when you need to, but like any use of technology that involves client confidential and, increasingly, personal private information, lawyers need to do the same legwork in the cloud that they’re doing to protect their information in their office.

    [Disclosure: I wrote a book about practicing in the cloud so, yes, I believe in the cloud’s possibilities, and no, I’m not a practicing lawyer, so I realize I don’t have the skin involved that lawyers subject to regulation do.]

  • Dan Mills

    Excellent analysis Sam. DC lawyers I know who litigate with NSA don’t keep client data on servers exposed to the internet. Some lawyers who litigate with DOJ don’t keep data on servers at all.

  • Ben

    I agree somewhat with your post, but some of what you’ve written requires clarification. First of all, with regard to your reference to DropBox, I’d suggest Microsoft OneDrive provides a simpler and better way to store your own files in the cloud. For anyone who has signed-up to Office365 (for $10/month or $99/year, you get the latest version of Office and a mailbox and all sorts of storage – 1TB in OneDrive), it’s a very easy way to move files between PC and phone very readily.
    Second, your suggestion that “the only way” to sync things is via “the cloud,” this is not true for most medium to large law firm folks who, typically, have very capable IT systems which for the past 10 years should have been providing such capability. If you’re at a firm that size and not able to sync devices and access your work anywhere, anytime, I’d suggest you’re in dire need of some IT consultancy or a new CIO.
    “Personal cloud” storage is fairly mature and simple and various manufacturers have decent products – WD, Seagate, and Verbatim all make nice products. Also, if people spend a few bucks to buy their own domain name and host at a respectable provider (such as 1and1), they have inexpensive options for hosted Exchange accounts that allow multiple device access (such as a phone and various computers).

  • Jerome Paun

    Thanks for a thoughtful and well written post Sam. I agree with you that we all should be concerned about our government’s ability and willingness to disregard basic Constitutional rights. I will not quote him here, but for those of you who are not particularly worried because you think the government has no reason to be interested in your clients or you, I would suggest you consider Pastor Martin Niem?ller’s reflection on those who did not speak out against the Nazis.

    Though I use the cloud to some extent, I have always been concerned about security. In my quest for convenient accessible and low cost storage and sync options, I invested in a pair of Transporters. This solution seems to work reasonably well. For those of you unfamiliar with the Transporter sync and back-up, I’ll briefly describe how it works.

    You can buy a Transporter with one terabyte of hard drive storage for about $200, no monthly fees or subscription costs. I bought two of them. One is installed in my office and the other at home. The computer files I have selected remain resident on all of my computers with a copy on each Transporter. When a file is modified on any computer, tablet or smartphone that you have connected to the Transporter, the file is synced with the Transporter and then, via the Transporter all other versions of the file are automatically synced but none of the files are stored in the cloud; they are stored on the Transporter in my office and in my home and are resident on each connected computer. If wifi or internet go down or are unavailable before a sync can happen, the modified file is still resident on the device where it was modified and when connections are reestablished, the files on the transporters and other devices will be synced. So for $400, I have my selected files redundantly synced on and off site without the vulnerability and monthly or annual fees of cloud storage. If the government wants to see my files legally for any reason, it needs to serve me, not some third party, with a warrant.

    If this interests any of you, you could learn all about this system by researching Transporters on the iPhonejd blog; that’s where I learned about it.